1. The document proposes using a simple game of hide-and-seek to abstractly model cybersecurity problems.
2. It explores strategies for hiders and seekers in this game, finding that hiders can favor some locations significantly before their behavior becomes exploitable. It also finds little benefit to seekers conducting a partial search based on probability information.
3. Further work is suggested to model more complex hider and seeker behaviors, topologies, and the ability of agents to change strategies dynamically.
18. Claim: A number of different Cyber Security problems can be abstracted to a simple game of ‘Hide-And-Seek’
. . . therefore . . .
We are motivated to explore strategies for seeking (and, ultimately, hiding) in this game.
19. What is the structure of a H&S game?
Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
32. Assuming no knowledge of an opponent, it is intuitive to conceal these objects randomly.
(Figure labels: Hider, Seeker)
33. In this instance, the best a seeker can do is conduct a random walk.
(Figure labels: Hider, Seeker)
37. So how can we strategise?
In reality, hiders (attackers) are either unable or unwilling to express randomness [Rubinstein, 1999]
- Bugs in code
- Human fallibility
- Infrastructure constraints
- Perceived ‘secrecy’ of locations
Repeat behaviour
45. 1. How much of this bias needs to be exhibited before a hider’s repetitions become exploitable?
2. How many bias nodes need to be included in a directed search to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential deception on the part of the hider?
50. Bias does not have an impact until ~ b = 45
[Figure: Average Cost of Games (log2) against Hider Bias (b), where the hider is ‘b’ times more likely to select a node; series: Random; Exploit (r = 1). Only looking for one hidden object.]
- Hider can afford to favour a node significantly before his behaviour becomes exploitable by the seeker.
- If it is costly for a Seeker to employ a non-random strategy, it does not need to do so below this amount of bias.
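An added example (not from the original slides) of the trade-off stated above: a seeker who pays to use a non-random strategy only gains once the hider's bias passes a break-even point. It assumes a fully connected graph, one hidden object, unit cost per node inspected, a hider who picks node 0 `b` times more often than any other node, and a hypothetical fixed `overhead` for the directed search; it is a simplified model and does not reproduce the plotted costs.

```python
import random

def hide(n, b, rng):
    """Hider places one object; node 0 is b times more likely than any other node."""
    return rng.choices(range(n), weights=[b] + [1] * (n - 1))[0]

def random_seek(n, target, rng):
    """Seeker inspects nodes in uniformly random order; cost = nodes inspected."""
    order = list(range(n))
    rng.shuffle(order)
    return order.index(target) + 1

def exploit_seek(n, target, rng, overhead):
    """Seeker pays `overhead` (assumed), checks favoured node 0 first, then searches randomly."""
    rest = list(range(1, n))
    rng.shuffle(rest)
    return overhead + ([0] + rest).index(target) + 1

def expected_costs(n, b, overhead):
    """Closed-form expected costs (random, exploit) under the same assumptions."""
    p = b / (b + n - 1)                    # probability the object is on node 0
    return (n + 1) / 2, overhead + 1 + (1 - p) * n / 2

def break_even_bias(n, overhead, b_max=10_000):
    """Smallest integer bias at which the exploit seeker is cheaper on average, else None."""
    for b in range(1, b_max + 1):
        rand_cost, exploit_cost = expected_costs(n, b, overhead)
        if exploit_cost < rand_cost:
            return b
    return None

def simulate(n, b, overhead, games=20_000, seed=1):
    """Monte Carlo estimate of (random, exploit) average cost over repeated games."""
    rng = random.Random(seed)
    total_random = total_exploit = 0
    for _ in range(games):
        target = hide(n, b, rng)
        total_random += random_seek(n, target, rng)
        total_exploit += exploit_seek(n, target, rng, overhead)
    return total_random / games, total_exploit / games

if __name__ == "__main__":
    n, overhead = 100, 10                  # constructed sample parameters
    print("break-even bias:", break_even_bias(n, overhead))
    for b in (1, 10, 27, 60):
        print(b, expected_costs(n, b, overhead), simulate(n, b, overhead))
```
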
56. Little benefit to conducting a search with only partial knowledge
Good news for the hider again: the number of nodes he can be biased towards, as well as the degree, is high.
[Figure: Average Cost of Games (log2) against Number of High Probability Nodes Included in Search (r); series: Random; Exploit (0 ≤ r < n). Looking for multiple hidden objects. Assume ‘perfect’ information on opponent. Annotation: Total number of hidden objects.]
Probability information only becomes useful when used to locate almost all hidden objects.
61. [Figure: Average Cost of Games (log2) against Number of High Probability Nodes Included in Search (r); series: Random; Exploit.]
When we don’t know the portion of objects which are hidden with bias, it is difficult to strategise against.
r is arbitrary; should be symmetrically random
68. 1. The performance of both Hiders and Seekers when there are a varying number of items to find.
2. Performance of agents on different topologies (fully connected, so movement not constrained).
72. 1. Hiders who are also constrained by the topology.
2. ‘Intelligent’ hiders who also track seeker’s behaviour, if repetitions exist (i.e. start point).
3. Edge by edge probability scores for both the Seeker and Hider.
75. 1. Agents with a ‘strategy portfolio’ who are able to switch between these strategies on-the-fly.
2. Agents with a self-analysis component, allowing them to judge their own performance, and change strategy as appropriate.